'Five Eyes' Nations Blame China for APT10 Attacks

The United States, United Kingdom, Canada, Australia and New Zealand officially blamed China on Thursday for the cyberattacks launched by a threat group known as APT10 against organizations around the world.

The US Department of Justice charged Chinese nationals Zhu Hua and Zhang Shilong with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft. The charges are related to their involvement in APT10 and the attacks launched by the group in the past decade against organizations in a wide range of sectors.

According to US authorities, the suspects work for a Chinese company called Huaying Haitai Science and Technology Development Company in the city of Tianjin, and they are associated with the Chinese Ministry of State Security’s Tianjin State Security Bureau.

The APT10 group has been active since at least 2006 and it has hacked a significant number of organizations in an effort to obtain intellectual property and business and technological information. The threat actor has also been tracked as Stone Panda, MenuPass, POTASSIUM, CVNX and Red Apollo.

The charges are related to APT10’s attacks against managed service providers (MSPs) around the world, and to its attacks on dozens of tech companies and government agencies in more than a dozen US states.

APT10 targeted MSPs because these companies typically have remote access to their customers’ infrastructure. As part of the attacks on MSPs, known in the cybersecurity industry as Operation Cloud Hopper, the hackers used malware to steal credentials that would give them access to the systems of the MSPs’ customers.

According to authorities, the victims of this operation included a global financial institution, three companies involved in commercial or industrial manufacturing, three telecommunications and consumer electronics firms, a healthcare company, an automotive supplier, a drilling company, a biotechnology company and two consulting companies. While the Justice Department has not named any of the victims, Reuters reported that the list includes HPE and IBM.

As for APT10’s other operations, authorities say the hackers targeted more than 45 tech companies and government agencies in at least 12 states, stealing hundreds of gigabytes of sensitive information. It also appears that the breach disclosed by the U.S. Navy in 2016, which involved HPE and resulted in the details of over 100,000 individuals being compromised, may have been the work of APT10.

The charged individuals, Zhu and Zhang, among other things, are said to have registered malicious domains and infrastructure for APT10. Zhang also developed and tested malware for the group, and Zhu, who works as a penetration tester, engaged in hacking operations and recruited new members.

China officially blamed for APT10 attacks by Five Eyes

The United States, United Kingdom, Australia, Canada and New Zealand have all issued statements condemning China, and specifically its Ministry of State Security (MSS), for sponsoring the APT10 attacks.

The Japanese government has also issued a statement, but it is more cautious. In recent years, cybersecurity firms have detailed several APT10 campaigns targeting Japan.

“This campaign shows that elements of the Chinese government are not upholding the commitments China made directly to the UK in a 2015 bilateral agreement. It is also inconsistent with G20 commitments that no country should conduct or support ICT enabled theft of intellectual property, including trade secrets or other confidential business information,” the UK said.

Australia, whose Cyber Security Centre issued advice for MSPs and their customers on how to limit exposure and protect information, also pointed to the G20 commitments and called on China to uphold them. Australia and China reaffirmed these commitments bilaterally in 2017.

“When it is in our interests to do so, Australia publicly attributes cyber incidents, especially those with the potential to undermine global economic growth, national security and international stability,” Australia’s Minister for Home Affairs and Minister for Foreign Affairs said in a joint statement.

Canada’s Communications Security Establishment (CSE) says it “assesses that it is almost certain that actors likely associated with the People’s Republic of China (PRC) Ministry of State Security (MSS) are responsible for the compromise of several Managed Service Providers (MSP), beginning as early as 2016.”

New Zealand became aware of the APT10 campaign in early 2017. The country’s Government Communications Security Bureau (GCSB) says it has found links between the Chinese MSS and APT10, and called on China to uphold the agreement it made with other APEC economies in November 2016.

“Around a third of the serious incidents recorded by the NCSC can be linked to state-sponsored actors. This ongoing activity reinforces the importance of organisations having strong cyber security measures across their supply chain,” said Andrew Hampton, Director-General of the GCSB.

The Chinese MSS has been linked to several high-profile attacks and threat groups, including the recently disclosed Marriott hack and the actor tracked as APT3.

Five Eyes nations recently banned products from Chinese-owned telecommunications giant Huawei, citing security concerns, but the company has denied any wrongdoing and highlighted the lack of evidence.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.